SSH fallback to local account if Radius server isn't available

linux freeradius

Enable common-auth (includes pam_unix.so), and change "required" to "sufficient".

auth    sufficient      pam_radius_auth.so
@include common-auth

(2016/05/03 JST) settings for "fallback"

auth    [success=done default=bad authinfo_unavail=bad ignore=ignore]  pam_radius_auth.so localifdown
@include common-auth

Results of pam_radius_auth in the following respective cases:

                       | correct password (in Radius)         | wrong (or UNIX) password
-----------------------+--------------------------------------+-------------------------
Radius Server is alive | PAM_SUCCESS                          | PAM_AUTHINFO_UNAVAIL
-----------------------+--------------------------------------+-------------------------
Radius Server is dead  |             PAM_IGNORE (with localifdown option)
-----------------------+--------------------------------------+-------------------------

As a result:

PAM_SUCCESS          => done (Login success)
PAM_AUTHINFO_UNAVAIL => bad (Login failure)
PAM_IGNORE           => ignore (continue to "common-auth")

There is a note. If the time-out value in pam_radius_auth.conf is too small, it will determine "Radius Server is dead", before receiving the "Access Reject" from the Radius Server.

Related

Get witness disk current vote via PowerShell
Samba TLS Setup
Forward traffic between VLANs with iptables
Passing Authorization Basic Headers Along in Proxy
Cloud Formation template add ingress rule to existing security group
MySQL JDBC force ignore client certificate on AWS RDS
setup nginx with IP as server name
What is the equivalent of using hiera as an ENC in Ansible?
ZFS L2ARC for Mirror Pool
/etc/tor/torsocks.conf not working
IIS not able to access shared network folder
Reverse DNS/bind named-checkzone "zone NS has no address records (A or AAAA) error"